Zero Day Monitor (ZDM)
CVE-2026-3219 (PATCHED)
Python Software Foundation · pip

pip doesn't reject concatenated ZIP and tar archives

Description

pip treats a file that is a concatenation of a tar archive and a ZIP archive as a ZIP file, regardless of the filename and regardless of the fact that the file is valid as both a tar and a ZIP archive. This can lead to confusing installation behaviour, such as installing the "incorrect" set of files relative to what the archive's filename suggests. The new behaviour proceeds with installation only if the file identifies uniquely as either a ZIP or a tar archive, not as both.

Affected Products

Vendor                      Product   Versions
Python Software Foundation  pip       0

References

  • https://github.com/pypa/pip/pull/13870 (patch)
  • https://mail.python.org/archives/list/security-announce@python.org/thread/QAJ5JIVWWCAJ4EZL2FP5MOOW35JS7LRJ/ (vendor advisory)

Related News (2 articles)

  • oss-security (Tier C, 15h ago): "Fwd: [CVE-2026-3219] pip doesn't reject concatenated ZIP and tar archives"; no new info (linked only)
  • VulDB (Tier C, 18h ago): "CVE-2026-3219 | Python Packaging Authority pip up to 26.0 ZIP File"; no new info (linked only)
CISA KEV: No
Actively exploited: No
Patch available: 26.1
CWE: CWE-434
Published: Apr 20, 2026
Last enriched: 12h ago (v3)
Trending score: 30
Source articles: 2
Independent sources: 2
Info completeness: 8/14
Missing: cvss, epss, kev, exploit, iocs, mitre_attack


Related CVEs (5)

  • CVE-2026-6100 [NONE, EXP]: Use-after-free in lzma.LZMADecompressor, bz2.BZ2Decompressor, and gzip.GzipFile after re-use under memory pressure (trending: 48)
  • CVE-2026-4786 [NONE, EXP]: Incomplete mitigation of CVE-2026-4519, %action expansion for command injection to webbrowser.open() (trending: 48)
  • CVE-2026-5713 [NONE, EXP]: Out-of-bounds read/write during remote profiling and asyncio process introspection when connecting to a malicious target (trending: 27)
  • CVE-2026-1502 [NONE]: HTTP client proxy tunnel headers not validated for CR/LF (trending: 21)
  • CVE-2026-3446 [NONE, EXP]: Base64 decoding stops at first padded quad by default (trending: 17)


Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

  • CVE published: Apr 20, 2026
  • Discovered by ZDM: Apr 20, 2026
  • Updated (affectedVersions, severity): Apr 20, 2026
  • Updated (severity): Apr 20, 2026
  • Patch available: Apr 20, 2026

Version History

Current version: v3 (last enriched 12h ago)

v3 (Tier C, 15h ago)
  Updated severity to MEDIUM and corrected exploit availability to false.
  Fields changed: severity
  Source: oss-security

v2 (Tier C, 17h ago)
  Updated affected versions to include 26.0, changed severity to HIGH, and corrected exploit availability to false.
  Fields changed: affectedVersions, severity
  Source: VulDB

v1 (18h ago)
  Initial creation